diff --git a/homes/x86_64-linux/matt@matt-nixos/default.nix b/homes/x86_64-linux/matt@matt-nixos/default.nix
index 4dfb6f6..4f70e80 100755
--- a/homes/x86_64-linux/matt@matt-nixos/default.nix
+++ b/homes/x86_64-linux/matt@matt-nixos/default.nix
@@ -1,5 +1,4 @@
 {
- inputs,
 lib,
 pkgs,
 namespace,
diff --git a/modules/nixos/services/arrs/default.nix b/modules/nixos/services/arrs/default.nix
index 8c4d8ed..f54d07f 100644
--- a/modules/nixos/services/arrs/default.nix
+++ b/modules/nixos/services/arrs/default.nix
@@ -81,7 +81,8 @@ let
 secretFiles = [ config.sops.templates."sabnzbd.ini".path ];
- settings = {
+ configFile = null;
+ settings = lib.mkForce {
 misc = {
 host = "0.0.0.0";
 port = 8280;
diff --git a/modules/nixos/services/coturn/default.nix b/modules/nixos/services/coturn/default.nix
index 7edc2c9..7e5a85a 100644
--- a/modules/nixos/services/coturn/default.nix
+++ b/modules/nixos/services/coturn/default.nix
@@ -56,18 +56,27 @@ let
 '';
 };
 networking.firewall = {
- interfaces.enp197s0 = let
- range = with config.services.coturn; [ {
- from = min-port;
- to = max-port;
- } ];
- in
- {
- allowedUDPPortRanges = range;
- allowedUDPPorts = [ 3478 5349 ];
- allowedTCPPortRanges = [ ];
- allowedTCPPorts = [ 3478 5349 ];
- };
+ interfaces.enp197s0 =
+ let
+ range = with config.services.coturn; [
+ {
+ from = min-port;
+ to = max-port;
+ }
+ ];
+ in
+ {
+ allowedUDPPortRanges = range;
+ allowedUDPPorts = [
+ 3478
+ 5349
+ ];
+ allowedTCPPortRanges = [ ];
+ allowedTCPPorts = [
+ 3478
+ 5349
+ ];
+ };
 };
 };
 };
diff --git a/modules/nixos/services/matrix/default.nix b/modules/nixos/services/matrix/default.nix
index c145344..f5986f1 100644
--- a/modules/nixos/services/matrix/default.nix
+++ b/modules/nixos/services/matrix/default.nix
@@ -68,7 +68,7 @@ let
 settings = {
 server_name = "mjallen.dev";
 public_baseurl = "https://matrix.mjallen.dev";
- serve_server_wellknown = true;
+ serve_server_wellknown = false;
 listeners = [ {
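Review bot: `settings = lib.mkForce { … }` forces the whole sabnzbd settings attribute set, so any other module contributing a key to it is dropped silently instead of producing a conflict error; if one attribute was the reason for the override, apply `lib.mkForce` to that attribute alone. The forced block also carries `host = "0.0.0.0";` (context here), so the web UI binding on every interface now wins over any other definition at normal priority — worth confirming that is intended. The `settings` set continues past the end of this hunk.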
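Review bot: With `serve_server_wellknown = false` synapse no longer answers `/.well-known/matrix/server`, and the nginx locations added in livekit.nix only define `= /.well-known/matrix/client`, while the new Traefik routers send all of PathPrefix(`/.well-known/matrix/`) to nginx — so a request for the server well-known now ends at nginx with no matching location. Given `server_name = "mjallen.dev"` and `public_baseurl = "https://matrix.mjallen.dev"`, federation delegation through that file is likely in use unless an SRV record covers it; add a matching `= /.well-known/matrix/server` location on the `mjallen.dev` vhost (constructed example body: `{ "m.server": "matrix.mjallen.dev:443" }`) or confirm delegation is handled elsewhere. The enclosing `settings` block continues outside the hunk.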
@@ -106,7 +106,7 @@ let
 # Registration settings
 enable_registration = false; # Set to true initially to create admin user
- enable_registration_without_verification = false;
+ enable_registration_without_verification = lib.mkForce false;
 # Media settings
 max_upload_size = "50M";
@@ -119,7 +119,10 @@ let
 server_name = "matrix.org";
 }
 ];
- turn_uris = ["turn:${config.services.coturn.realm}:3478?transport=udp" "turn:${config.services.coturn.realm}:3478?transport=tcp"];
+ turn_uris = [
+ "turn:${config.services.coturn.realm}:3478?transport=udp"
+ "turn:${config.services.coturn.realm}:3478?transport=tcp"
+ ];
 turn_shared_secret = config.services.coturn.static-auth-secret;
 turn_user_lifetime = "1h";
 };
@@ -144,5 +147,8 @@ let
 };
 in
 {
- imports = [ matrixConfig ];
+ imports = [
+ matrixConfig
+ ./livekit.nix
+ ];
 }
diff --git a/modules/nixos/services/matrix/livekit.nix b/modules/nixos/services/matrix/livekit.nix
index 41a9f4f..88e7f22 100644
--- a/modules/nixos/services/matrix/livekit.nix
+++ b/modules/nixos/services/matrix/livekit.nix
@@ -1,42 +1,49 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ namespace,
+ ...
+}:
 let
- cfg = config.${namespace}.services.${name};
+ cfg = config.${namespace}.services.matrix;
 keyFile = "/run/livekit.key";
- file = pkgs.writeText "file.txt" ''
- {
- "m.homeserver": {
- "base_url": "https://matrix.mjallen.dev"
- },
- "m.identity_server": {
- "base_url": "https://vector.im"
- },
- "org.matrix.msc3575.proxy": {
- "url": "https://matrix.mjallen.dev"
- },
- "org.matrix.msc4143.rtc_foci": [
- {
- "type": "livekit", "livekit_service_url": "https://mjallen.dev/livekit/jwt"
- }
- ]
- }
+ file = pkgs.writeText ".well-known.json" ''
+ {
+ "m.homeserver": {
+ "base_url": "https://matrix.mjallen.dev"
+ },
+ "m.identity_server": {
+ "base_url": "https://vector.im"
+ },
+ "org.matrix.msc3575.proxy": {
+ "url": "https://matrix.mjallen.dev"
+ },
+ "org.matrix.msc4143.rtc_foci": [
+ {
+ "type": "livekit", "livekit_service_url": "https://mjallen.dev/livekit/jwt"
+ }
+ ]
+ }
 '';
 in
 {
- services.livekit = {
- enable = true;
- openFirewall = true;
- settings.room.auto_create = false;
- inherit keyFile;
- };
- services.lk-jwt-service = {
- enable = true;
- # can be on the same virtualHost as synapse
- livekitUrl = "wss://mjallen.dev/livekit/sfu";
- inherit keyFile;
- };
 config = lib.mkIf cfg.enable {
+ services.livekit = {
+ enable = true;
+ openFirewall = true;
+ settings.room.auto_create = false;
+ inherit keyFile;
+ };
+ services.lk-jwt-service = {
+ enable = true;
+ port = 8585;
+ # can be on the same virtualHost as synapse
+ livekitUrl = "wss://mjallen.dev/livekit/sfu";
+ inherit keyFile;
+ };
 # generate the key when needed
 systemd.services.livekit-key = {
 before = [
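Review bot: `openFirewall = true;` on `services.livekit` opens the SFU's listening ports on every interface, whereas the coturn module changed in this same commit scopes its media ports to `networking.firewall.interfaces.enp197s0`. If the host has more than one interface and the SFU should be reachable only on the public one, set `openFirewall = false;` and declare the ports under `interfaces.enp197s0` as coturn does; otherwise a one-line comment stating that all-interface exposure is intended would help the next reader. The `config = lib.mkIf cfg.enable {` block continues past the end of this hunk.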
@@ -58,33 +65,49 @@ in
 };
 # restrict access to livekit room creation to a homeserver
 systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "mjallen.dev";
- services.nginx.virtualHosts = {
- "matrix.mjallen.dev".locations = {
- "^~ /.well-known/matrix/client" = {
- alias = file;
- extraConfig = "default_type text/plain;";
+ services.nginx = {
+ enable = true;
+ defaultHTTPListenPort = 8188;
+ virtualHosts = {
+ "matrix.mjallen.dev".locations = {
+ "= /.well-known/matrix/client" = {
+ alias = file;
+ extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ '';
+ };
 };
- "mjallen.dev".locations = {
- "^~ /livekit/jwt/" = {
- priority = 400;
- proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
- };
-
- "^~ /livekit/sfu/" = {
- extraConfig = ''
- proxy_send_timeout 120;
- proxy_read_timeout 120;
- proxy_buffering off;
+ "mjallen.dev".locations = {
+ "= /.well-known/matrix/client" = {
+ alias = file;
+ extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ '';
+ };
- proxy_set_header Accept-Encoding gzip;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- '';
- priority = 400;
- proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";
- proxyWebsockets = true;
+ "^~ /livekit/jwt/" = {
+ priority = 400;
+ proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
+ };
+
+ "^~ /livekit/sfu/" = {
+ extraConfig = ''
+ proxy_send_timeout 120;
+ proxy_read_timeout 120;
+ proxy_buffering off;
+
+ proxy_set_header Accept-Encoding gzip;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ '';
+ priority = 400;
+ proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";
+ proxyWebsockets = true;
+ };
 };
 };
- }
+ };
 };
 }
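Review bot: The `= /.well-known/matrix/client` location body (`alias = file;` plus the `default_type` and CORS `add_header` lines) is written out twice, once per vhost; bind it once in the file's `let` block, e.g. `wellKnownClient = { alias = file; extraConfig = ''…''; };`, and use `"= /.well-known/matrix/client" = wellKnownClient;` in both `locations` sets so the two copies cannot drift apart. Since only Traefik reaches this nginx (the traefik hunk points the `nginx` service at `http://localhost:8188`), consider adding `defaultListenAddresses = [ "127.0.0.1" "[::1]" ];` next to `defaultHTTPListenPort = 8188;` so these plain-HTTP vhosts are not bound on external interfaces; with the default listen addresses, keeping them private depends on the firewall alone.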
diff --git a/modules/nixos/services/traefik/default.nix b/modules/nixos/services/traefik/default.nix
index 4d21f24..8f63ce5 100755
--- a/modules/nixos/services/traefik/default.nix
+++ b/modules/nixos/services/traefik/default.nix
@@ -296,6 +296,11 @@ in
 url = hassUrl;
 }
 ];
+ nginx.loadBalancer.servers = [
+ {
+ url = "http://localhost:8188";
+ }
+ ];
 } // reverseProxyServiceConfigs;
@@ -312,6 +317,30 @@ in
 tls.certResolver = "letsencrypt";
 };
+ matrix2 = {
+ entryPoints = [ "websecure" ];
+ rule = "Host(`matrix.mjallen.dev`) && PathPrefix(`/.well-known/matrix/`)";
+ service = "nginx";
+ middlewares = [
+ "crowdsec"
+ "whitelist-geoblock"
+ ];
+ priority = 1;
+ tls.certResolver = "letsencrypt";
+ };
+
+ matrix3 = {
+ entryPoints = [ "websecure" ];
+ rule = "Host(`mjallen.dev`) && PathPrefix(`/.well-known/matrix/`)";
+ service = "nginx";
+ middlewares = [
+ "crowdsec"
+ "whitelist-geoblock"
+ ];
+ priority = 1;
+ tls.certResolver = "letsencrypt";
+ };
+
 cache = {
 entryPoints = [ "websecure" ];
 rule = "Host(`cache.${domain}`)";
diff --git a/packages/librepods-beta/default.nix b/packages/librepods-beta/default.nix
index 59a0b0a..a3feb58 100644
--- a/packages/librepods-beta/default.nix
+++ b/packages/librepods-beta/default.nix
@@ -9,7 +9,6 @@
 wayland,
 libxkbcommon,
 libGL,
- xorg,
 expat,
 fontconfig,
 freetype,
diff --git a/systems/x86_64-linux/jallen-nas/default.nix b/systems/x86_64-linux/jallen-nas/default.nix
index ea5e8a1..95f92b9 100755
--- a/systems/x86_64-linux/jallen-nas/default.nix
+++ b/systems/x86_64-linux/jallen-nas/default.nix
@@ -334,12 +334,17 @@ in
 tpm2-tools
 tpm2-tss
 ];
- # persistence."/media/nas/main/persist" = {
- # hideMounts = true;
- # directories = [
-
- # ];
- # };
+ persistence."/media/nas/main/persist" = {
+ hideMounts = true;
+ directories = [
+ {
+ directory = "/var/lib/sabnzbd";
+ user = "sabnzbd";
+ group = "sabnzbd";
+ mode = "u=rwx,g=rx,o=rx";
+ }
+ ];
+ };
 };
 networking.firewall.checkReversePath = false;
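Review bot: `priority = 1;` on `matrix2` and `matrix3` gives these routers the lowest possible precedence in Traefik, where a larger value wins and the default is the rule's length; if the router just above them (the one ending in `tls.certResolver = "letsencrypt";`) is a plain Host(`matrix.mjallen.dev`) route to synapse, it will take `/.well-known/matrix/*` first and the nginx route never applies. Either drop `priority` so the longer, more specific PathPrefix rule wins by default, or set it higher than the synapse router's value. Separately, the well-known file nginx serves advertises `https://mjallen.dev/livekit/jwt` and `wss://mjallen.dev/livekit/sfu`, but the only new routers match PathPrefix(`/.well-known/matrix/`); unless an existing Host(`mjallen.dev`) router already forwards `/livekit/` to the `nginx` service, those paths never reach the locations defined in livekit.nix. Descriptive names such as `matrix-wellknown` would also read better than `matrix2`/`matrix3`.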
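Review bot: `mode = "u=rwx,g=rx,o=rx";` on the persisted `/var/lib/sabnzbd` entry lets every local account list and traverse sabnzbd's state directory, which holds its configuration and queue; the `user`/`group` already set on the entry suggest only the service needs access. Unless another unit must read it, tighten to `mode = "u=rwx,g=rx,o=";` (0750) so the persisted copy is no longer world-readable. The enclosing attribute set starts outside this hunk.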